The CCPA – An Expensive Trap for the Unwary
The California Consumer Privacy Act (“CCPA”)1 goes into effect in January of 2020. The act imposes obligations on any “Business” that collects consumer data in California, whether that is through a physical presence within the state or through a website which is accessed by a California consumer.2 The CCPA defines “Business” to include any for profit legal entity “that satisfies one or more of the following thresholds”:
1. Has annual gross revenues in excess of twenty-five million dollars;
2. “Annually buys, receives for the business’s commercial purposed, sells or shares…the personal information of 50,000 or more consumers, households;” or, 3. “[d]erives 50 percent or more of its annual revenues from selling consumers’ personal information.”3
The above thresholds will likely make the CCPA applicable to the financial industry, even though the CCPA is not explicitly directed towards the industry.
The CCPA affords California consumers four rights; (i) the right to know which of the consumer’s personal information is being collected, the source of the information, whether and to whom this information is being disclosed and/or sold; (ii) the right to prevent their personal information from being sold; (iii) the right to have their personal information deleted; and, (iv) the right to receive equal pricing and services from a business even if the consumer exercises its privacy rights under the CCPA.
Complying with the CCPA will be a major undertaking that may cost businesses anywhere from $467 million to $16.5 billion between 2020 and 2030.4 Further, the CCPA imposes draconian penalties for violations of its enactments as it empowers the Attorney General to seek civil penalties up to $7500 per violation of the act.5 Moreover, consumers may seek the greater of either: (i) statutory damages of $100 to $750 per consumer per incident; or, (ii) actual damages incurred.6 Below is a Recommended Plan of Action to help firms comply with the CCPA.
Recommended Plan of Action
1. Identification of Californian investors
The first step for a firm will be identification of all its investors that are California residents. This will allow the firm to ascertain the number and identity of investors that are considered California Consumers under the California Consumer Privacy Act.
2. Identification and collection of data
A firm would next identify the information that is collected from California consumers. This should include how the data is collected, where it comes from, how it is processed and used, how it is stored, and how it is shared, and if applicable, sold. This step is crucial not only for determining if personal data is currently and will be collected from California consumers but also for determining if a breach has occurred as the CCPA imposes a requirement that firms notify all California consumers of a data breach.
3. Update Disclosures, Privacy Policies, and Notices
Firms will need to add disclosures to their websites and privacy policies consistent with the CCPA (see below for examples of disclosure language). Privacy policies and other compliance policies should also be updated.
4. Prepare processes to address requests from consumers
5. Maintain vigilance over data security measures
Even after adopting data security measures, its effectiveness must be ensured by periodic testing, many firms in the securities and finance sector already conduct such testing but it is valuable for a firm to revisit this testing with special focus on consumer information security and controls.
6. Review the activities of your vendors to confirm that your vendors are complying
Firms must ensure that vendor access to personal information is controlled and that vendors who do have access to personal information use it only for the limited purpose explained in the agreement with that Vendor. The firm should also inspect vendor agreements to confirm that they are protected from liability through the vendor in the event of a breach. Further, Vendors agreements must include language that states that the vendor must provide notice in the event of a data breach.
7. Procedures if the firm sells personal information
If the firm sells personal information additional steps must be taken, the sale of the information must be commercially reasonable.
Deploying the recommended plan of action may go a long way toward avoiding the ire of California’s attorney general. California Attorney General Xavier Becerra has indicated that his office “will look kindly on those that…demonstrate an effort to comply [with the CCPA].” On the other hand, if businesses are not complying, he has threatened to “descend on them and make an example of them.”8
If you have questions about the information provided in this announcement, or for information about our CCPA compliance services, please email us at email@example.com, call Alaric at 888-243-2448, or visit our website, at www.alariccompliance.com.
This information is prepared by Alaric Compliance Services® LLC for general informational purposes only. It is not a full analysis of the matters presented and should not be relied upon as legal advice.
1 CAL. CIV. CODE § 1798.100 et seq.
2 The CCPA defines consumers as natural persons who are California residents. CAL. CIV. CODE § 1798.140.
3 CAL. CIV. CODE § 1798.140. The California Consumer Privacy Act also applies to any entity that controls or is controlled by an entity that meets these thresholds.
4 Bose, N. (December 10, 2019). California AG says privacy law enforcement to be guided by willingness to comply. Reuters.
5 CAL. CIV. CODE § 1798.150